NOTE: Because this report assesses potential vulnerabilities in IT security, only a summary of the report is posted.

Report Title: Audit of NARA’s System Administrator Rights and Controls
Report Number: 06-11
Date Issued: September 27, 2006

Audit of NARA’s System Administrator Rights and Controls

The Office of the Inspector General (OIG) performed an audit of NARA’s system administrator rights and controls. The audit was designed to determine whether the appropriate controls, oversight, policies, and procedures are implemented over system administrator accounts in order to ensure that NARA systems and information are properly secured and reasonably controlled. System administrator rights and controls exist to ensure that only legitimate system administrators can perform operations critical to controlling rights among other programs and users.

Our audit revealed that NARA’s controls over system administrator accounts were weak and needed immediate improvement. The inadequate controls governing system administrator rights and controls result in increased risk of system degradation due to potential mismanagement, human error, or system compromise by persons seeking to harm NARA’s servers and infrastructure devices.

Specifically, we noted weaknesses governing the removal of previously disabled system administrator accounts; the enforcement of NARA password policies for system administrator passwords; users having root access on some servers; system logs, including the lack of logging, ineffective log parameters, log overwrites, inconsistent log sizes, and logs not backed up or saved; the number of system administrators on servers; the ability of system administrators to create an access control list of users and their rights for review as directed by the NARA Technical Controls IT Handbook; the process of ensuring that system administrators have a user level account in addition to their administrator account; and the policies and procedures governing field sites and the related systems administration.

We made nine recommendations to improve NARA’s system administrator rights and controls and enhance controls over information technology security. Management agreed with all but two recommendations and initiated corrective action.